Reddit data breach: Hacker intercepted authentication SMS to access database
2 August 2018
Social media platform Reddit announced on Wednesday that it had suffered a data breach after a hacker gained access to a database containing personal details of users. Even though the accounts involved were protected by two-factor authentication, the hacker found a way in by intercepting the authentication SMS messages sent to employees for their accounts with cloud and source code hosting providers.
Two-factor authentication no longer secure
The hack took place between 14 and 18 June and began with the compromise of Reddit employees’ accounts. Reddit did have two-factor authentication in place to deter hackers from accessing its systems and databases, but because SMS was part of the authentication process, the hacker used that weakness to gain access to Reddit’s databases.
Christopher Slowe, Reddit’s founding engineer, said in a post on the platform that the company has learned its lesson and has since adopted token-based two-factor authentication to prevent the use of similar tactics by hackers in future. “We point this out to encourage everyone here to move to token-based 2FA,” he wrote.
Even though the hacker did not gain write access to Reddit systems, he/she did gain access to a database that contained data of users who joined Reddit between 2005 and May 2007, including account credentials (username + salted hashed passwords), email addresses, and public and private messages.
The hacker also gained access to email digests sent by Reddit to users between June 3 and June 17 this year. According to Reddit, the digests contained “a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to”.
Reddit observed the intrusion on 19 June and has since informed law enforcement authorities, rolled out token-based two-factor authentication along with enhanced logging and more encryption, and asked affected users to change their passwords.
Slowe added that Reddit hired a Head of Security less than three months ago, who has not been asked to leave, and that the company is now looking for candidates to fill two additional security roles, namely Cloud Security Engineer and Threat Detection Automation Engineer.
Multi-factor authentication a must for all firms
Commenting on the hack of Reddit’s database, Sean Sullivan, Security Advisor at F-Secure, said that SMS-based two-factor authentication was never a perfect solution and that Reddit won’t be the last organisation to be breached via SMS authentication.
“It took Twitter until late last year to finally implement a proper app-based MFA, which is four years wasted, as rolling out SMS-based MFA delayed a proper system and its value was very short-lived. At this point, the use of SMS-based MFA for administrators should be considered negligent,” he added.
“Security has evolved since SMS authentication and organisations need to do the same. SMS is not true multi-factor authentication, as it is sent from a network to the phone, giving hackers an opportunity to intercept this message and hijack the user account,” says Rashmi Knowles, Field CTO EMEA at RSA Security.
“Instead, it is vital that true multi-factor authentication is mandatory in a company’s security strategy. For example, proximity-based solutions or biometrics can provide a simple way for users to prove who they are, while also reducing the risk of a breach. By putting another wall of defence up that can’t be mimicked, organisations can effectively manage their digital risk and keep user data secure,” she adds.
According to Keith Graham, CTO at SecureAuth + Core Security, SMS-based two-factor authentication should be phased out by organisations in favour of comprehensive identity controls. “Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation-based threat services, and phone fraud prevention to address the threats at the identity level efficiently,” he says.